Welcome to ISAserver.org


RE: How to build an ISA firewall lab with Virtual PC 2004

RE: How to build an ISA firewall lab with Virtual PC 2004 - 18.Jul.2006 11:03:06 AM   
Guest
Hi!
I saw this article and these comments.
Playing with Virtual PC 2004 can be very, very useful.
Since I ran into exactly the same scenario myself some time ago, I think I can
help a little here.
I hope I don't break any rules here.
Virtual PC 2004 can be very useful if you want to test or to learn about ISA Server.
So look how I did it:
First of all, I have a broadband router for my Internet connection with 4 LAN ports, a few hosts
and a wireless LAN.
The router has DHCP enabled for certain MAC addresses.
I used for this test an AMD 2800+ Barton, 1 GB of RAM, a KT400 motherboard, a S-ATA
hard-disk and a  9700 Pro video card. For the virtual memory I allocated 3072 MB.
The operating system was XP SP2 Pro.
As you can see, it isn't quite a modern system.
So the question is: will it hold 4 VMs?
Sure!!
With all 4 VMs running with default settings (just configured networking) and Windows Media Player,
an antivirus, I need about 950 MB of RAM and the processor is somewhere between 20-30% usage.
4 VMs = 3 Windows 2003 Server R2 Trials + Windows XP SP2 Pro.
Explicitly:
  ISATest = Windows 2003 Server R2 Trial (with RAM settings 256 MB from VPC)
  DCTest = Windows 2003 Server R2 Trial (with RAM settings 128 MB from VPC)
  DMZTest = Windows 2003 Server R2 Trial (with RAM settings 128 MB from VPC)
  XPTest = Windows XP SP2 Pro (with RAM settings 64 MB from VPC).
Note: my XP uses about 230-250 MB of RAM when it's running with no programs, except the antivirus,
the sound manager, video card manager....
So what did I do?
First, install two loopback network cards, and as Stefaan said, they only have virtual machine network
services enabled.
I've named them Loopback1 and Loopback2.
So: one network called Intern, which comprises two computers, DCTest and XPTest;
one network called DMZ, which contains DMZTest.
As it should the ISATest has three network adapters: Extern, Intern, DMZ.
My real network is 192.168.2.0 and the IP of the REALXP host on which is installed VPC is 192.168.2.3.
The default gateway is 192.168.2.1(the router).
On the REALXP host I only have 1 real network adapter( + 2 loopback addresses obviously).
The whole key to making this network work is to understand how these virtual networks communicate
with each other.
So for example, if you use your real network adapter for a VM in the VPC network settings, with an IP from your
real network, you should have connectivity to ALL YOUR NETWORK (you can ping your router, access the Internet,
ping other real computers, and you should be able to get your settings from your DHCP server). I set the VM to get
its settings from the DHCP router and it works just fine.
Now if you are using a loopback adapter, let's say Loopback1, for a host, you should use a different network address,
192.168.10.0. The idea is that if you use this adapter again for another VM, you should use an IP address from 192.168.10.0,
because now all the hosts using the adapter belong to the same LAN.
If you mess things up you will not be able to make them run as they should.
So use the two loopback adapters for two different LANs: Loopback1 for 192.168.10.0 for Intern; Loopback2 for 192.168.30.0
for DMZ. All the hosts from Intern use Loopback1 and 192.168.10.0 (DCTest and XPTest) and all the hosts from DMZ
use Loopback2 and 192.168.30.0 (DMZTest).
Pay attention to ISATest. It has 3 network adapters: Loopback1, Real adapter, Loopback2. Keep the order!!!! (You can arrange them
how you like, but then you have to stick to that order.)
In ISA desktop you will see in network connections something like that: Intel 21140-Based PCI Fast Ethernet Adapter (Generic),
Intel 21140-Based PCI Fast Ethernet Adapter (Generic)#2, Intel 21140-Based PCI Fast Ethernet Adapter (Generic)#3.
Keep the right order let's say: Loopback1 as Intel 21140-Based PCI Fast Ethernet Adapter (Generic)= Intern.
                               Real Adapter as Intel 21140-Based PCI Fast Ethernet Adapter (Generic)#2= Extern.
                               Loopback2 as Intel 21140-Based PCI Fast Ethernet Adapter (Generic)#3= DMZ.
If you don't keep the right order and bind the adapters randomly, it will probably not work.
What are my settings:
ISATest:  Extern: 192.168.2.50, DG: 192.168.2.1.
    Intern: 192.168.10.1
    DMZ:    192.168.30.1
DCTest:   Intern:  192.168.10.2 DG: 192.168.10.1
XPTest:   Intern:  192.168.10.3 DG: 192.168.10.1
DMZTest: DMZ: 192.168.30.2 DG: 192.168.30.1
Now you should be able to ping from DCTest to: 192.168.10.1, 192.168.2.50, 192.168.30.1, 192.198.10.3. The rest will fail.
From ISATest ping works to: 192.168.10.2, 192.168.10.3, 192.168.30.2, 192.168.2.1. Everything.
From DMZ works to: 192.168.10.1, 192.168.30.1, 192.168.2.50. The rest will fail.
From XPTest works to: 192.168.10.1, 192.168.10.2, 192.168.30.1, 192.168.2.50. The rest will fail.
ISATest is now like a router, so if you want to be able to ping from, let's say, 192.168.30.2 to 192.168.10.3,
you should enable routing on ISATest.
How? From Administrative tools/Routing and Remote Access. Right click on ISATest, which is red, and choose Enable.../Custom../Lan Routing.
Now ISATest turns green.
Attention: you will not be able to ping 192.168.2.1 from DMZTest or XPTest.
You can now ping from DMZTest to DCTest and XPTest and vice-versa because you've just enabled LAN Routing.
If you want to access the Internet and the real LAN you must enable NAT like above; just opt for NAT, not for Custom Config.
Choose Extern as public interface and uncheck enable security... because you don't need this now.
Next select let's say Intern(you can add later any interface you want). At the next window check I will setup name and address
services later.
Now you can ping everything.
Of course for Internet or ping let's say "www.  .com" you will need to use some DNS servers, maybe from ISP or whatever.
You might try to ping from REALXP some VM.
Well this is another story.
The only thing you can actually ping is 192.168.2.50. That's it.
If you enable NAT in RRAS check in NAT/Basic Firewall on Extern if you are allowing ICMP.
Again what you can ping is 192.168.2.50.
So remember that I said  before that for Loopback1 and Loopback2 to set only virtual machine network services?
Well now go to these adapters and enable Client for Microsoft net, File and printer sharing, Internet Protocol and put some IP
addresses there like: Loopback1 192.168.10.10 255.255.255.0 and Loopback2 192.168.30.30 255.255.255.0.
If you didn't enable RRAS you can ping from 192.168.10.0 to 192.168.10.10 and from 192.168.30.0 to 192.168.30.30.
From REALXP you should be able to ping every VM. The rest remain unchanged.
If you enable RRAS Lan Routing remains unchanged like without any IP addresses on loopback adapters except you can
ping 192.168.2.3 from any VM.
Pay attention to NAT/Basic Firewall on Extern and see if you are allowing ICMP. With NAT everything remains unchanged,
like without any IP addresses on loopback adapters.
I set up DC, DNS, DHCP servers in 192.168.10.0 and everything works beautifully. The client gets its settings from DHCP....
Obviously this talk about routing has little to do with your ISA lab. It's just to see that EVERYTHING works just fine and
you can use any IP you want(not just 192.168.0.0) and do a lot of things...
For a more in-depth analysis of traffic, use a traffic analyzer program.
The other settings in VPC networking (Local Only, Shared NAT) restrict you too much and give you trouble. No ICS or other
stuff like this.
So do you need vmware?
No.
Maybe I've missed something. I have a tutorial with pictures and more details about VPC and ISA which I will post somewhere.
Sorry if I've missed something.
Now you can enjoy and apply Mr. Shinder's articles on ISA and test ISA Server in depth.
Have fun.

< Message edited by adrian_dimcev -- 19.Jul.2006 3:23:01 PM >

(in reply to spouseele)
  Post #: 21
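The ping results listed in the post above follow from the addressing alone, which this Python model reproduces for the three stages (RRAS off, LAN routing, NAT). It is an added example, not part of the original post: host names and addresses come from the post, while the assumptions that the broadband router has no route back to 192.168.10.0/24 and 192.168.30.0/24 and that NAT covers both lab subnets are the example's own.

```python
import ipaddress

# Addresses are the ones given in the post; everything else is a simplification.
SEGMENTS = {
    "Intern": ipaddress.ip_network("192.168.10.0/24"),
    "DMZ": ipaddress.ip_network("192.168.30.0/24"),
    "Extern": ipaddress.ip_network("192.168.2.0/24"),
}
HOSTS = {  # name -> (own addresses, default gateway)
    "ISATest": (["192.168.10.1", "192.168.2.50", "192.168.30.1"], "192.168.2.1"),
    "DCTest": (["192.168.10.2"], "192.168.10.1"),
    "XPTest": (["192.168.10.3"], "192.168.10.1"),
    "DMZTest": (["192.168.30.2"], "192.168.30.1"),
    "Router": (["192.168.2.1"], None),  # assumed: no route back to the lab subnets
}

def owner(ip):
    """Name of the host that holds this address, or None."""
    return next((h for h, (addrs, _) in HOSTS.items() if ip in addrs), None)

def segment(ip):
    """Name of the segment an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def can_ping(src, dst_ip, mode="none"):
    """mode: 'none' (RRAS off), 'lan' (LAN routing) or 'nat' (NAT on Extern)."""
    target = owner(dst_ip)
    if target is None:
        return False
    addrs, gateway = HOSTS[src]
    if target == src or segment(dst_ip) in {segment(a) for a in addrs}:
        return True  # same host or directly connected segment
    hop = owner(gateway) if gateway else None
    if hop is None:
        return False
    if target == hop:
        return True  # the gateway host answers for any of its own addresses
    if hop != "ISATest" or mode == "none":
        return False  # nothing forwards packets between segments
    if segment(dst_ip) == "Extern":
        return mode == "nat"  # reply only comes back if the source was translated
    return True  # Intern <-> DMZ is forwarded in both 'lan' and 'nat'

def reachable(src, mode="none"):
    """Sorted list of other hosts' addresses that src can ping in this mode."""
    all_ips = [ip for addrs, _ in HOSTS.values() for ip in addrs]
    own = HOSTS[src][0]
    return sorted(ip for ip in all_ips if ip not in own and can_ping(src, ip, mode))
```

Comparing `reachable("DMZTest", mode)` across the three modes shows which step of the RRAS setup a failing ping points to; once ISA Server itself is installed, its firewall policy decides instead.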
RE: How to build an ISA firewall lab with Virtual PC 2004 - 3.Aug.2006 9:26:09 PM   
vmorreale

 

Posts: 3
Joined: 3.Aug.2006
Status: offline
Hi Adrian,

Do you have a tutorial with pictures and more detail about VPC and ISA?

Thanks
Vince

(in reply to Guest)
Post #: 22
RE: How to build an ISA firewall lab with Virtual PC 2004 - 3.Aug.2006 10:58:15 PM   
vmorreale

 

Posts: 3
Joined: 3.Aug.2006
Status: offline
Adrian,

In addition to my last post reply, on which vm do you install ISA Server software?

Thanks
Vince
vmorreale@comcast.net

(in reply to Guest)
Post #: 23
RE: How to build an ISA firewall lab with Virtual PC 2004 - 4.Aug.2006 5:34:09 PM   
Guest
Hi Vince!
What do you mean by "on which vm do you install ISA"?
ISA Server 2004 is installed on the ISATest vm, on a Win 2003 Server.

(in reply to vmorreale)
  Post #: 24
RE: How to build an ISA firewall lab with Virtual PC 2004 - 4.Aug.2006 5:42:31 PM   
vmorreale

 

Posts: 3
Joined: 3.Aug.2006
Status: offline
I installed it on the DMZ test vm. Is this OK or do I need to install on ISA Test?

I installed VMWARE, the free edition. I've set up three subnets on ISA Test: one for DMZ, Internal and External. On ISA Test I can ping all vm's. On the other vm's I can only ping devices on their subnets. I don't have Routing and Remote Access running on ISA Test. Please advise.

Thanks
Vince

(in reply to Guest)
Post #: 25
RE: How to build an ISA firewall lab with Virtual PC 2004 - 7.Aug.2006 5:54:28 PM   
Guest
Hi Vince!
I'm glad to see you are using VMware.
please read once again carefully what I did.
I think you need to find out more about ISA and DMZ.
obviously you cannot install ISA on DMZTest.
check your e-mail

(in reply to vmorreale)
  Post #: 26
RE: How to build an ISA firewall lab with Virtual PC 2004 - 9.Aug.2006 4:12:25 PM   
Guest
Vince
if you already installed a vm in VPC you can import it in VMware from
file/import (I guess you are using VMware Server).
Search for your .vmc files (typically they are in "My Documents\My Virtual Machines").
the import option is quite old now and is very useful.

(in reply to Guest)
  Post #: 27
RE: How to build an ISA firewall lab with Virtual PC 2004 - 19.Aug.2006 5:20:25 PM   
Guest
With vmware virtual server, which is free, it is pretty much the same
job.
The only difference is that here you don't have the Microsoft Loopback Adapter;
you have the VMware Network Adapter (VMnet 0:9).
If you open the network settings "Host/Virtual Network Setting" and go to
"Host Virtual Adapters" you will see that vmnet1 and vmnet8 are enabled
by default. The VMnet1 adapter is for host-only and the VMnet8 adapter is for NAT.
In "Host Virtual Network Mapping" if you click on the ">" on the right you can
enter the subnet range for each adapter and the DHCP scope.
If you have "Automatic bridging..." enabled in "Automatic Bridging" you will have
your real adapter, or one of them if you have many, bound to vmnet0. In this way you
give the vm access to your network.
So go to "Host Virtual Adapters" and add 2 more adapters vmnet2 and vmnet3.
To keep it like in VPC choose for vmnet2 192.168.10.0/24 and for vmnet3 192.168.30.0/24.
vmnet2 will be for Intern and vmnet3 for DMZ.
For Extern you will have vmnet0, which for me was bound automatically to my only real NIC.
You can disable DHCP and NAT from vmware.
Go on machine settings and for ISATest add three network adapters and set them like this:
1:bridge; 2:vmnet2; 3:vmnet3.
For DCTest one adapter: vmnet2.
For DMZTest one adapter: vmnet3.
For XPTest one adapter: vmnet2.
Then start your vm and add IP addresses on them just like in VPC.
Keep the order of adapters for ISATest when adding IP addresses.
After that everything is pretty much the same as in VPC.
The same with routing and sharing your Extern adapter.
As I said before, you can import any vm from VPC, but pay attention to your IP addresses, because
vmware will keep the IP settings for each NIC from VPC but you will not see those adapters
because "they are no longer on the computer (vm)". You will get a notice if you enter the same
IP addresses. There is no problem with that if you don't have the Loopback adapters enabled
when running vmware.
If you go to the Microsoft site you will notice that ISA 2004 is not supported in their VPC or
Virtual Server because it can behave unexpectedly:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/unsupportedconfigs.mspx
Also Tom recommends in one of his books vmware:
http://tinyurl.com/rkrre
greets!

< Message edited by adrian_dimcev -- 19.Aug.2006 5:25:37 PM >

(in reply to Guest)
  Post #: 28
RE: How to build an ISA firewall lab with Virtual PC 2004 - 19.Aug.2006 6:38:17 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Adrian,

First of all, you said
quote:

If you go to the Microsoft site you will notice that ISA 2004 is not supported in their VPC or
Virtual Server because it can behave unexpectedly:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/unsupportedconfigs.mspx

It's correct that ISA 2004 is not supported either on Virtual PC, Server or VMWare, certainly not for a production environment. However, running ISA 2004 on a virtual system is strongly recommended for demonstration, training and lab environments. The Microsoft people do it all the time themselves!

Secondly, may I ask you not to hijack this topic any further. I suggest you create your own topic or maybe write an article on how to set up an ISA lab in VMWare. Of course, you may link to my article and related topic.

Thanks,
Stefaan

(in reply to Guest)
Post #: 29
RE: How to build an ISA firewall lab with Virtual PC 2004 - 19.Aug.2006 8:16:49 PM   
Guest
Hi Stefaan!
Sorry!

(in reply to spouseele)
  Post #: 30
RE: How to build an ISA firewall lab with Virtual PC 2004 - 6.Mar.2008 6:28:35 PM   
daja

 

Posts: 1
Joined: 6.Mar.2008
Status: offline
Hello,
This manual (tutorial) doesn't work in my case.
I have installed all of the machines in the exact order, created 2 loopback adapters and set only the virtual machine network services.
I have only an integrated LAN adapter on my mobo, therefore I'm not going to have internet for my virtual network, but this is not crucial.
On my ISA Server (settings in Virtual PC) I set up three (3) network adapters: Loopback, Realtek Via RHine II fast ethernet adapter, Loopback #2 - in that order.
Then inside the ISA Server machine I open the Network Connections and configure the network adapters in the following way:
Intel 21140...generic IP 192.168.22.15
SM 255.255.255.0
Intel 21140...generic #2 Nothing,Because I don't have
broadband internet (i.e adsl,cable,...)
Intel 21140...generic #3 IP 192.168.33.15
SM 255.255.255.0
Then I build the 3-leg perimeter network template, choosing the following:
For Internal network I choose the Add adapter... option and select Intel 21140...generic
For Perimeter Network IP addresses I have selected Intel 21140...generic #3
For firewall policy I choose Allow unrestricted access.
My problems are:
I can't ping Internal and ISA Server. I can't ping Internal and Perimeter. All of the network computers are in the workgroup named WORKGROUP. Where is my fault? Why doesn't my network work?

Help

(in reply to spouseele)
Post #: 31
